[Freeipa-users] getent passwd / group

Jakub Hrozek jhrozek at redhat.com
Tue Oct 28 01:57:33 UTC 2014

On Mon, Oct 27, 2014 at 11:38:14PM +0000, Craig White wrote:
> RHEL 6.5 - new install
> ipa-server-3.0.0-42.el6.x86_64
> 389-ds-base-
> On the master, I get nothing
> [root at ipa001 log]# getent passwd admin

We need to debug this one. I suspect DNS..

> [root at ipa001 log]#
> But it works on the replica as expected
> [root at ipa002nadev01 ~]# getent passwd admin
> admin:*:1140000000:1110000000:Administrator:/home/admin:/bin/bash
> I am used to using PADL / NSSWITCH with OpenLDAP and I am rather surprised that on both, 'getent passwd' and 'getent group' return only entries from local files but then again, I've never used sssd before.
> Partial from /etc/sssd/sssd.conf
> [domain/stt.local]
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = stt.local
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = ipa001nadev01.stt.local
> chpass_provider = ipa
> ipa_server = ipa001nadev01.stt.local
> ldap_tls_cacert = /etc/ipa/ca.crt
> [sssd]
> services = nss, sudo, pam, ssh
> config_file_version = 2
> domains = stt.local
> debug_level = 6

Note - the debug_level directive belongs to the domain section. If
present in the [sssd] section, only debugging for the main sssd process
is enabled.

> Shouldn't I be seeing both local files and IPA defined users with 'getent passwd' and IPA defined users with 'getent group' commands?

No, this is by design. See the description of the 'enumerate' parameter
in sssd.conf, there is also an explanation on why enumeration is off by

> What could cause 'getent passwd admin' not to work on the master server now when I know I tested it when I first set it up and it worked?  I have done little more than import users and groups from OpenLDAP and configure HBAC, sudo stuff in the IPA web UI.

As Dmitri said..

More information about the Freeipa-users mailing list